KB5022895 security update for Windows Server 2012

This content has been archived. However, it remains accurate and relevant to the underlying technology products or infrastructure services.

KB5022895 is the security-only update for Windows Server 2012. It was released on 14th February as part of the ‘Patch Tuesday’ program. This security update addresses several security vulnerabilities on Windows Server 2012.

KB5022895 has now been succeeded by the March 2023 security update. KB5023752 is the security update for Windows Server 2012 from the March 2023 Patch Tuesday program. You can read more about KB5023752 on this page.

Key points about KB5022895 for Windows Server 2012

  • KB5022895 is a standalone security update. All the previous security updates for Windows Server 2012 ought to be deployed on the server for full and adequate security.
  • We strongly advocate patching the server with the cumulative monthly rollup update for Windows Server 2012, KB5022903, instead of the security update.
  • Servicing Stack Update KB5022923 for Windows Server 2012 needs to be deployed prior to installing KB5022895.
  • The cumulative update for Internet Explorer KB5022835 needs to be deployed prior to installing KB5022895 on Windows Server 2012.
  • There are compatibility issues between language packs and the security update KB5022895. If you install a language pack after installing KB5022895, you will need to redeploy the security update. The same applies when you install a language pack on a Windows Server 2012 system that already has the monthly rollup update KB5022903. Microsoft suggests installing language packs before the deployment of KB5022895 and KB5022903.
  • 32 security vulnerabilities affect Windows Server 2012 and Windows Server 2012 (Server Core installation). 3 of these vulnerabilities are ‘CRITICAL’ vulnerabilities with a CVSS score of 9.8. Brief details of these vulnerabilities can be read in the table below.

| Vulnerability  | CVSS | Impact |
|----------------|------|--------|
| CVE-2023-21689 | 9.8  | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
| CVE-2023-21690 | 9.8  | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |
| CVE-2023-21692 | 9.8  | Remote Code Execution in Microsoft Protected Extensible Authentication Protocol (PEAP) |

From the key points above, we can see that installing the security update also requires you to deploy the cumulative update for Internet Explorer and the Servicing Stack Update. If you install the monthly rollup update instead, you only need to install the Servicing Stack Update first, because the cumulative update for Internet Explorer is already part of the monthly rollup update for Windows Server 2012.

Deploy KB5022895 on Windows Server 2012

You can deploy KB5022895 through WSUS or by manually installing an installer file downloaded from the Microsoft site.

WSUS allows you to import and apply the update automatically.

For manual deployments of the February 2023 security update on Windows Server 2012, there are three essential steps:

  • Download and install KB5022923 servicing stack update
  • Download and install KB5022835 cumulative update for Internet Explorer
  • Download and install the security update KB5022895 on Windows Server 2012
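The three steps above can be scripted so that the order is enforced and a missing prerequisite stops the run. The following is an added example, not part of the original article or any Microsoft tooling; it assumes the three MSU files were already downloaded into a staging folder (the path `C:\Patches\2023-02` is hypothetical) and that each file name contains its KB number.

```powershell
# Added example: install the February 2023 security-only chain in the order the article gives.
# Assumption: the three .msu files were downloaded from the catalog into $MsuFolder
# (hypothetical path) and each file name contains its KB number.
param(
    [string]$MsuFolder = 'C:\Patches\2023-02'   # hypothetical staging folder
)

# Order matters: servicing stack update, IE cumulative update, then the security-only update.
$chain = @(
    @{ Id = 'KB5022923'; Role = 'Servicing stack update' },
    @{ Id = 'KB5022835'; Role = 'Internet Explorer cumulative update' },
    @{ Id = 'KB5022895'; Role = 'Security-only update' }
)

$rebootPending = $false
foreach ($kb in $chain) {
    # Get-HotFix reads Win32_QuickFixEngineering; no result means "not recorded as installed".
    if (Get-HotFix -Id $kb.Id -ErrorAction SilentlyContinue) {
        Write-Output "$($kb.Id) ($($kb.Role)) already installed, skipping."
        continue
    }

    $msu = Get-ChildItem -Path $MsuFolder -Filter "*$($kb.Id)*.msu" | Select-Object -First 1
    if (-not $msu) {
        # Stop here so a later update is never installed without its prerequisite.
        throw "$($kb.Id) ($($kb.Role)) is missing from $MsuFolder; stopping before later updates."
    }

    # wusa.exe is the built-in Windows Update Standalone Installer.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart' -Wait -PassThru

    switch ($p.ExitCode) {
        0       { Write-Output "$($kb.Id) installed." }
        3010    { Write-Output "$($kb.Id) installed, reboot required."; $rebootPending = $true }
        2359302 { Write-Output "$($kb.Id) was already installed." }   # 0x00240006
        default { throw "$($kb.Id) failed with wusa exit code $($p.ExitCode); stopping." }
    }
}

if ($rebootPending) { Write-Output 'Restart the server to finish the installation.' }
```

Run it from an elevated PowerShell session, and install any language packs before running it so the security update does not have to be redeployed afterwards.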

Below, we will share the catalog links for each of these updates for Windows Server 2012 for February 2023. We are not sharing direct download links of the MSU update file for obvious security reasons.

For the record, we would like to reiterate that Windows Server 2012 cannot be patched with the Windows Update program for security-only updates. So, you have to choose between WSUS and manual MSU file deployment on the server.

Issues post-deployment of KB5022895 on Windows Server 2012

As of now, we know that the domain join issue continues to affect Windows Server 2012 systems that have been patched with one of the recent security updates or monthly rollup updates. This includes the KB5022895 security update for Windows Server 2012.

A brief issue description that has been shared by Microsoft states the following:

After this update or a later Windows update is installed, domain join operations might be unsuccessful and error “0xaac (2732): NERR_AccountReuseBlockedByPolicy” occurs. Additionally, text stating “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy” might be displayed.

A workaround has been made available and discussed in the security document KB5020276. You may follow the instructions in the document and apply a fix until a permanent solution is made available in one of the future cumulative or security updates for the server.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.
